ISO 27001:2022 Controls: What Changed and How to Comply

Updated: Jun 01, 2026

The 2022 revision of ISO 27001 restructured Annex A from 114 controls across 14 domains into 93 controls across four categories. The change is not cosmetic. Eleven controls are entirely new, 57 were merged into 24, and the remaining 58 were renumbered and, in places, reworded to reflect how organisations manage information security today. If your Information Security Management System (ISMS) still references the 2013 version, the transition deadline has passed and your next surveillance or recertification audit will be assessed against the 2022 standard. This guide explains what changed in ISO 27001:2022, what the new controls require, and what your organisation needs to do to align.

What Changed in ISO 27001:2022?

The most visible change is the restructuring of Annex A. The 2013 version organised 114 controls across 14 domains (A.5 through A.18). The 2022 version consolidates these into 93 controls across four thematic categories. This is not a reduction in scope. The lower number reflects merging of overlapping controls, not removal of requirements.

Three types of changes occurred:

  • 11 new controls were added to address areas that the 2013 version did not cover, including threat intelligence, cloud security, data masking, and monitoring activities.
  • 57 controls were merged into 24, eliminating redundancy where multiple 2013 controls addressed the same risk from slightly different angles.
  • 58 controls were carried over largely unchanged in substance, with new numbering and, in some cases, revised language or clarified scope.

The management system clauses (Clauses 4 through 10) also received minor updates. The most notable addition is Clause 6.3, Planning of changes, which requires that changes to the ISMS be carried out in a planned manner. Clause 9.1 on monitoring, measurement, analysis and evaluation was also tightened: the statement that the chosen methods should produce comparable and reproducible results now appears in the clause text rather than as a note.

For a full reference of every control in the current standard, see the complete ISO 27001 Annex A controls list.

The New Annex A Structure: Four Categories

The 2013 structure grouped controls into 14 domains based on functional areas: access control, cryptography, physical security, operations security, and so on. The 2022 version replaces this with four broader categories.

Category         Section   Number of controls
Organisational   A.5       37
People           A.6       8
Physical         A.7       14
Technological    A.8       34
Total                      93

The rationale for this restructuring is practical. The 14-domain structure often split related controls across multiple sections, making it difficult for organisations to see the full picture for a given risk area. The four-category model groups controls by who is responsible and what type of measure is involved, which maps more naturally to how organisations assign ownership and implement controls internally.

This restructuring also aligns Annex A with ISO 27002:2022, which provides the detailed implementation guidance for each control. ISO 27002 was updated first (published February 2022), and ISO 27001:2022, with the matching Annex A, followed in October 2022.

The 11 New Controls

The 11 new controls address gaps in the 2013 standard. These are areas where the threat landscape, technology adoption, or regulatory environment evolved faster than the standard. Every organisation certifying or recertifying against ISO 27001:2022 must assess these controls and include or exclude them in the Statement of Applicability (SoA) with justification.

A.5.7 — Threat intelligence. Requires organisations to collect, analyse, and act on information about information security threats. This moves threat intelligence from a discretionary activity to a formal control with defined responsibilities and processes.

A.5.23 — Information security for use of cloud services. Requires a defined process for acquiring, using, managing, and exiting cloud services, with security requirements specified for each. Organisations already managing ISO 27001 in cloud computing environments will recognise the substance, but this control makes it a standalone requirement.

A.5.30 — ICT readiness for business continuity. Requires ICT systems to be planned, implemented, maintained, and tested to support business continuity objectives. This is more specific than the general business continuity controls in the 2013 version.

A.7.4 — Physical security monitoring. Requires premises to be continuously monitored for unauthorised physical access. This was implicit in the 2013 version but is now an explicit, auditable control.

A.8.9 — Configuration management. Requires configurations, including security configurations, of hardware, software, services, and networks to be established, documented, implemented, monitored, and reviewed. In practice this means a documented baseline per asset type plus a way to detect and correct drift from it, not a one-off hardening exercise.

A.8.10 — Information deletion. Requires information stored in systems, devices, or any other storage media to be deleted when no longer required. This aligns with data minimisation principles in GDPR and similar privacy regulations.

A.8.11 — Data masking. Requires the use of data masking techniques in accordance with the organisation’s access control policy and business requirements. Relevant for organisations handling personal data in development, testing, or analytics environments.
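What data masking looks like in practice is easier to see in code. The following is an added example, not code from this page, the standard, or any vendor: it masks a customer row before it is copied to a test environment, using keyed pseudonymisation for identifiers, partial masking for a phone number and email address, and redaction for free text. The field names, sample rows, rule table and key are assumptions constructed for the example.

```python
"""Added example (not from the page or the standard): masking a customer
record before it is copied into a test or analytics environment.

Three techniques that between them cover most A.8.11 cases:
  - deterministic pseudonymisation (keyed HMAC) for identifiers that must
    still join across tables,
  - partial masking for values people need to recognise at a glance,
  - redaction for free text, which can contain anything.
Field names, the records and the key below are constructed for the example.
"""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"^([^@]+)@(.+)$")

# Every column must be classified; anything not listed is dropped (fail closed).
MASKING_RULES = {
    "customer_id": "pseudonymise",
    "full_name": "pseudonymise",
    "email": "email",
    "phone": "phone",
    "notes": "redact",
    "order_total": "keep",
}


def pseudonymise(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, non-reversible token. Same input + same key -> same token, so
    foreign keys keep matching after masking. Without the key the token can
    neither be reversed nor recomputed, so the key must never be deployed
    to the environment that receives the masked data."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_email(email: str, key: bytes) -> str:
    """Pseudonymise the local part, keep the domain so per-domain statistics
    stay realistic. Malformed input gets a reserved domain (RFC 2606)."""
    m = EMAIL_RE.match(email)
    if not m:
        return pseudonymise(email, key, 12) + "@example.invalid"
    local, domain = m.groups()
    return f"{pseudonymise(local, key, 12)}@{domain}"


def mask_phone(phone: str) -> str:
    """Partial mask: keep only the last four digits."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict, key: bytes) -> dict:
    """Apply the declared rule to each field of one row."""
    masked = {}
    for field, value in record.items():
        rule = MASKING_RULES.get(field)
        if rule is None:
            continue  # unclassified column: never passed through
        if rule == "pseudonymise":
            masked[field] = pseudonymise(str(value), key)
        elif rule == "email":
            masked[field] = mask_email(str(value), key)
        elif rule == "phone":
            masked[field] = mask_phone(str(value))
        elif rule == "redact":
            masked[field] = "[REDACTED]" if value else ""
        elif rule == "keep":
            masked[field] = value
    return masked


# Constructed sample rows, not real data. The key is an assumption standing
# in for a value fetched from a secrets store by the production-side job.
MASKING_KEY = b"masking-key-kept-on-the-production-side-only"
SAMPLE_CUSTOMER = {
    "customer_id": "C-10042",
    "full_name": "Ada Example",
    "email": "ada@example.org",
    "phone": "+44 20 7946 0123",
    "notes": "Called about invoice 7781, gave her home address.",
    "date_of_birth": "1990-01-01",  # no rule declared, so it is dropped
}
SAMPLE_ORDER = {"customer_id": "C-10042", "order_total": "19.99"}

if __name__ == "__main__":
    for row in (SAMPLE_CUSTOMER, SAMPLE_ORDER):
        print(mask_record(row, MASKING_KEY))
```

Two design choices matter for the control. The HMAC key stays on the production side, so the masked copy cannot be reversed by anyone whose access is limited to the test environment; and columns without a declared rule are dropped rather than copied, so a newly added personal-data column cannot leak by omission.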

A.8.12 — Data leakage prevention. Requires measures to detect and prevent the unauthorised disclosure of information. This formalises Data Loss Prevention (DLP) as a control rather than leaving it as an implementation choice under broader data protection controls.

A.8.16 — Monitoring activities. Requires networks, systems, and applications to be monitored for anomalous behaviour, with appropriate actions taken when potential incidents are detected.
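As an added example, not code from this page, the standard or any product, the block below implements one monitoring rule of the kind the control expects: a source address that logs a successful login after a burst of failures. The log line format, the threshold and the time window are assumptions, and the log lines are constructed for the example.

```python
"""Added example (not from the page or the standard): one detection rule of
the kind A.8.16 calls for, run over constructed authentication log lines.
The log format, the threshold and the time window are assumptions chosen for
the example; a real deployment takes them from the monitoring design."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else. The
    caller counts unparsed lines: a sudden rise in them is itself worth an
    alert (log format change, collection gap, or tampering)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP logs a successful login after at least
    `threshold` failures within `window`. Counting per source rather than
    per user catches password spraying, where each user sees one failure.
    Returns (alerts, unparsed_line_count)."""
    recent_failures = defaultdict(list)  # src -> failure timestamps in window
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        recent = [t for t in recent_failures[ev["src"]] if ev["ts"] - t <= window]
        recent_failures[ev["src"]] = recent
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures_before_success": len(recent),
                "at": ev["ts"].isoformat(),
            })
            recent_failures[ev["src"]] = []  # one alert per burst
    return alerts, unparsed


# Constructed log: a spray from 203.0.113.7 across three users that ends in a
# successful login, plus a user on 198.51.100.2 who simply mistyped once.
SAMPLE_LOG = """\
2026-03-01T07:30:00Z auth FAIL user=carol src=198.51.100.2
2026-03-01T08:00:00Z auth FAIL user=alice src=203.0.113.7
2026-03-01T08:00:05Z auth FAIL user=alice src=203.0.113.7
2026-03-01T08:00:09Z auth FAIL user=admin src=203.0.113.7
2026-03-01T08:00:14Z auth FAIL user=alice src=203.0.113.7
2026-03-01T08:00:20Z auth FAIL user=bob src=203.0.113.7
2026-03-01T08:00:31Z auth FAIL user=alice src=203.0.113.7
2026-03-01T08:00:40Z auth OK user=alice src=203.0.113.7
2026-03-01T08:01:00Z auth FAIL user=carol src=198.51.100.2
this line is not in the expected format
2026-03-01T08:01:30Z auth OK user=carol src=198.51.100.2
""".splitlines()

if __name__ == "__main__":
    found, bad = detect_bruteforce_success(SAMPLE_LOG)
    for alert in found:
        print("ALERT", alert)
    print("unparsed lines:", bad)
```

The rule counts failures per source address rather than per account, so a password spray that produces one failure per user still trips it, and carol's single mistyped password (with an earlier failure outside the window) does not. Unparsed lines are reported separately, because a change in log format or a gap in collection is something the monitoring design has to notice, not silently skip.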

A.8.23 — Web filtering. Requires management of access to external websites to reduce exposure to malicious content.

A.8.28 — Secure coding. Requires secure coding principles to be applied in software development. This was partially covered by development-related controls in the 2013 version but now has its own dedicated control with specific requirements.

Control Attributes: A New Classification System

ISO 27002:2022, the companion guidance to ISO 27001:2022, introduces a control attribute system that did not exist in the 2013 version. Each of the 93 controls carries five attributes that provide additional ways to view and filter the control set.

  • Control type: Preventive, Detective, or Corrective
  • Information security properties: Confidentiality, Integrity, or Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, or Recover (aligned with the NIST Cybersecurity Framework)
  • Operational capabilities: Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance
  • Security domains: Governance and Ecosystem, Protection, Defence, or Resilience

These attributes are not auditable requirements. An auditor will not ask whether you have categorised your controls by attribute. Their purpose is operational: they give security teams alternative ways to slice the control set when building dashboards, assigning ownership, or mapping to other frameworks. The “Cybersecurity concepts” attribute, for example, maps directly to the NIST CSF functions, which simplifies cross-framework alignment for organisations that maintain both ISO 27001 and a NIST-based security programme.

What This Means for Your ISMS

The transition deadline for existing ISO 27001:2013 certificates was 31 October 2025. Organisations that have not yet transitioned are operating on an expired standard and must complete the transition at their next audit. For organisations certifying for the first time, all new certifications are issued against the 2022 version.

The practical work involved in transitioning includes:

  1. Update the Statement of Applicability. The SoA must reflect the 93 controls in the 2022 structure. Each of the 11 new controls must be assessed for applicability and either included with implemented controls or excluded with documented justification.
  2. Remap existing controls. Controls that were merged or renumbered need to be traced from their 2013 reference to their 2022 equivalent; Annex B of ISO 27002:2022 provides the correspondence tables in both directions. The control substance is largely the same, but the numbering, grouping, and in some cases the language have changed.
  3. Implement new controls where applicable. The 11 new controls may require new policies, procedures, or technical measures. Threat intelligence (A.5.7), cloud security (A.5.23), and data leakage prevention (A.8.12) are frequent gaps for organisations transitioning from 2013.
  4. Update documentation. Policies, procedures, and risk management frameworks that reference specific Annex A control numbers will need to be updated to reflect the new numbering scheme.
  5. Conduct an internal audit. Before the certification or surveillance audit, run an internal audit against the 2022 standard to identify any remaining gaps.

For most organisations with a mature ISMS, the transition is a documentation and gap-filling exercise, not a fundamental redesign. The 11 new controls are the primary area of new work, and several of them formalise practices that many organisations already follow informally.

Frequently Asked Questions

How many controls are in ISO 27001:2022?

ISO 27001:2022 Annex A contains 93 controls, organised into four categories: Organisational (37), People (8), Physical (14), and Technological (34). This is a reduction from the 114 controls across 14 domains in the 2013 version, primarily due to merging overlapping controls rather than removing requirements.

What are the 11 new controls in ISO 27001:2022?

The new controls are: Threat intelligence (A.5.7), Information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), Physical security monitoring (A.7.4), Configuration management (A.8.9), Information deletion (A.8.10), Data masking (A.8.11), Data leakage prevention (A.8.12), Monitoring activities (A.8.16), Web filtering (A.8.23), and Secure coding (A.8.28).

Is ISO 27001:2013 still valid?

No. The transition period ended on 31 October 2025. All ISO 27001:2013 certificates have expired. Organisations must certify or recertify against the 2022 version. Certification bodies will only issue new certificates against ISO 27001:2022.

Do I need to implement all 93 controls?

No. Clause 6.1.3 treats Annex A as a reference list: the controls you need are those your risk assessment determines are necessary, compared against Annex A to check that nothing has been overlooked, and they may also come from other sources. The Statement of Applicability (SoA) records, for every Annex A control, whether it is included and implemented or excluded, and why. Controls that are not relevant to the identified risks can be excluded, provided the exclusion is documented and justified. However, exclusions are scrutinised during audit, and auditors expect a clear rationale for each one.

How Copla Supports ISO 27001 Compliance Programmes

Transitioning to ISO 27001:2022 or certifying for the first time requires mapping controls, updating documentation, and closing gaps before the audit. Copla’s platform automates the control mapping between the 2013 and 2022 versions, generates the updated Statement of Applicability, and tracks evidence collection against each of the 93 controls. The onboarding process uses a structured intake to produce the policy and procedure documentation pack, and Copla’s consultants work alongside your team to implement controls and prepare for the Stage 1 and Stage 2 certification audits. For organisations that also maintain SOC 2, NIS2, or DORA compliance, Copla’s cross-mapping capability means controls documented for ISO 27001 carry over to other frameworks without duplicating effort.

Book a consultation with Copla to walk through how this would look for your team.
